CORS & example.com

刺人心 2021-01-29 14:33

I have trouble with CORS. I use an API which has

Access-Control-Allow-Origin: http://www.example.com

Because of that, I can't access the i

3 answers
  • 2021-01-29 15:34

    If you are accessing another origin (host) from your origin, then you will not be able to access the API in an Ajax call, because the other origin will have disallowed access from another host. So, to access the API, you need to allow on the server side the particular path pattern which you want to access.

    web.xml file in the Java project.

    <web-app>
      <filter>
         <filter-name>myFilter</filter-name>
         <filter-class>CorsFilter</filter-class>
      </filter>
      <filter-mapping>
         <filter-name>myFilter</filter-name>
         <url-pattern>/rest/*</url-pattern>
      </filter-mapping>
      <servlet>
         <servlet-name>myRestPath</servlet-name>
         <servlet-class>com.MyServlet</servlet-class>
      </servlet>
      <servlet-mapping>
         <url-pattern>/rest/*</url-pattern>
         <servlet-name>myRestPath</servlet-name>
      </servlet-mapping>
    </web-app>
    

    You can edit your logic in the MyFilter.java file, or you can also add the init parameter in the web.xml file.

    MyFilter.java

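    import java.io.IOException;

    // javax.servlet is the Servlet API up to 4.0; on Jakarta EE 9+ use jakarta.servlet.
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;

    // Referenced from web.xml as <filter-class>CorsFilter</filter-class>.
    // A public class must be saved in a file of the same name (CorsFilter.java).
    public class CorsFilter implements Filter {

        @Override
        public void init(FilterConfig fConfig) throws ServletException {
            // do something
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain filterChain) throws IOException, ServletException {
            // Cast to the HTTP type to set headers. A new name is needed because
            // a local variable cannot redeclare the "response" parameter.
            HttpServletResponse httpResponse = (HttpServletResponse) response;

            // here * is used to allow all origins, i.e. anyone can access the API
            httpResponse.addHeader("Access-Control-Allow-Origin", "*");

            // methods that are allowed through the filter
            httpResponse.addHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, HEAD");

            // custom header entry
            httpResponse.addHeader("Access-Control-Allow-Headers", "X-PINGOTHER, Origin, X-Requested-With, Content-Type, Accept");
            filterChain.doFilter(request, response);
        }

        @Override
        public void destroy() {
            // do something
        }

    }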
    

    I think it will be the right solution for your query.

    0 Discussion (0)
  • 2021-01-29 15:39

    Is there anything I can do to get the data hidden behind this?

    No, not with pure client code, but Yes if you can involve a custom server. See possible work-arounds discussed below.

    Same origin security in a browser prevents an Ajax request to a page at origin Y when that request is made from a web page that is not also origin Y. This can only be changed by having the server that is serving the request enable CORS from the origin whose page you are making the request from or from all origins. The only way to change that is by changing the CORS support on the API server. There is nothing you can do purely on the client side to override the same origin protections. And, if there was a pure client thing that could override it, it would be quickly closed as a security hole.

    Same origin protections do not apply to a URL typed into the URL bar since there is no "origin" that is different than the URL entered into the URL bar. That explains why you can access the API server by typing URLs directly into the URL bar. The same origin protections for Ajax calls made from a web page are additional security measures implemented by the browser that do not apply when entering a URL directly into the URL bar. But, there is no way to use this capability from JavaScript to skirt the same origin protections because JavaScript cannot freely reach across windows of different origins.

    There are some possible work-arounds.

    1. If the API server supports JSONP, then you could use that. But, since JSONP is specifically for cross origin requests, if the API server isn't allowing cross origin requests with a regular Ajax request, then they probably wouldn't be allowing them via JSONP.

    2. You can implement your own server proxy. From your existing web page, you would make a request of your own server proxy. That proxy would either already be on the same origin as your web page or would support CORS from at least the origin on your web page so that the Ajax call to your own server proxy would be permitted. Your server proxy would then call the API server to get the results you want and return them via the Ajax call made to the server proxy. Since same origin protections are implemented and enforced only in the browser for Ajax calls made from the browser, the server proxy is not limited by them and it can freely access the API server.

    0 Discussion (0)
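
The server proxy from work-around 2 in the answer above, written as a servlet; this is an added example, not code from the original answer. It pins the upstream host and validates the one parameter it forwards, so the proxy cannot be pointed at other addresses. The class name, the upstream URL, the `id` parameter, and the use of `javax.servlet` with Java 11's `java.net.http.HttpClient` are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: class name, upstream URL and the "id" parameter are hypothetical.
public class ApiProxyServlet extends HttpServlet {

    // Fixed upstream: the browser never chooses the host, so the servlet
    // cannot be used to reach arbitrary or internal addresses.
    private static final String UPSTREAM = "https://api.example.com/v1/items/";

    private static final HttpClient CLIENT = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(5))
            .followRedirects(HttpClient.Redirect.NEVER)
            .build();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String id = req.getParameter("id");
        // Only a short numeric id is accepted, so no path or query syntax
        // supplied by the client can reach the upstream URL.
        if (id == null || !id.matches("[0-9]{1,12}")) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid id");
            return;
        }
        // Server-to-server call: no browser is involved, so no CORS check applies.
        // The user's cookies and Authorization header are deliberately not forwarded.
        HttpRequest upstream = HttpRequest.newBuilder(URI.create(UPSTREAM + id))
                .timeout(Duration.ofSeconds(10))
                .header("Accept", "application/json")
                .GET()
                .build();
        try {
            HttpResponse<byte[]> r =
                    CLIENT.send(upstream, HttpResponse.BodyHandlers.ofByteArray());
            res.setStatus(r.statusCode());
            res.setContentType(r.headers().firstValue("Content-Type")
                    .orElse("application/octet-stream"));
            res.getOutputStream().write(r.body());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            res.sendError(HttpServletResponse.SC_BAD_GATEWAY, "upstream interrupted");
        }
    }
}
```

Served from the same origin as the page, this endpoint needs no CORS headers; if it is hosted on another origin, it needs its own origin allowlist.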
  • 2021-01-29 15:40

    No.

    If the Access-Control-Allow-Origin header is example.com and you're attempting to access it from any other origin, you won't be able to.

    0 Discussion (0)